marcusquinn · marcusquinn · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
diff --git a/.github/workflows/opencode-agent.yml b/.github/workflows/opencode-agent.yml
@@ -29,6 +29,18 @@ jobs:
   security-check:
     name: Security Validation
     runs-on: ubuntu-latest
+    # GH#4002: Skip when triggered by known review bots. Bot review comments
+    # (from CodeRabbit, Gemini, etc.) never contain /oc or /opencode triggers,
+    # but GitHub requires manual approval for workflow runs triggered by bot
+    # accounts, causing permanent action_required status on PRs.
+    if: >
+      github.actor != 'coderabbitai' &&
+      github.actor != 'gemini-code-assist[bot]' &&
+      github.actor != 'augment-code[bot]' &&
+      github.actor != 'augmentcode[bot]' &&
+      github.actor != 'copilot[bot]' &&
+      github.actor != 'github-actions[bot]' &&
+      github.actor != 'dependabot[bot]'
     # Needs write permissions to post rejection replies on untrusted comments.
     # Without this, the GITHUB_TOKEN defaults to read-only and the
     # createReplyForReviewComment/createComment calls fail with 403. GH#2973.

diff --git a/.github/workflows/review-bot-gate.yml b/.github/workflows/review-bot-gate.yml
@@ -32,11 +32,29 @@ jobs:
   review-bot-gate:
     name: Wait for AI Review Bots
     runs-on: ubuntu-latest
-    # Only run on PRs (issue_comment fires for PR comments too)
+    # Only run on PRs (issue_comment fires for PR comments too).
+    # GH#4002: Skip pull_request_review events from known review bots.
+    # GitHub requires manual approval for workflow runs triggered by bot
+    # accounts on pull_request_review and pull_request_review_comment events,
+    # causing permanent action_required status on PRs. The issue_comment
+    # event from bots does NOT require approval, so we allow it — this is
+    # the primary re-trigger path when a bot posts its review as a comment.
     if: >
-      github.event_name == 'pull_request' ||
-      github.event_name == 'pull_request_review' ||
-      (github.event_name == 'issue_comment' && github.event.issue.pull_request)
+      (
+        github.event_name == 'pull_request' ||
+        github.event_name == 'pull_request_review' ||
+        (github.event_name == 'issue_comment' && github.event.issue.pull_request)
+      ) && !(
+        github.event_name == 'pull_request_review' && (
+          github.actor == 'coderabbitai' ||
+          github.actor == 'gemini-code-assist[bot]' ||
+          github.actor == 'augment-code[bot]' ||
+          github.actor == 'augmentcode[bot]' ||
+          github.actor == 'copilot[bot]' ||
+          github.actor == 'github-actions[bot]' ||
+          github.actor == 'dependabot[bot]'
+        )
+      )
 
     permissions:
       pull-requests: read
@@ -53,8 +71,12 @@ jobs:
         run: |
           echo "Checking PR #${PR_NUMBER} for AI review bot activity..."
 
-          # Known review bot patterns (case-insensitive matching on login)
-          # Add new bots here as they are configured
+          # Known review bot patterns (case-insensitive matching on login).
+          # Add new bots here as they are configured.
+          # NOTE: This list differs from the job-level if-condition which also
+          # excludes github-actions[bot] and dependabot[bot]. Those bots are
+          # excluded from triggering this workflow but are NOT code review bots
+          # whose reviews we wait for.
           KNOWN_BOTS=(
             "coderabbitai"
             "gemini-code-assist[bot]"

diff --git a/configs/mcp-templates/opencode-github-workflow.yml b/configs/mcp-templates/opencode-github-workflow.yml
@@ -22,10 +22,22 @@ on:
 
 jobs:
   opencode:
-    # Only run if comment contains /oc or /opencode
-    if: |
-      contains(github.event.comment.body, '/oc') ||
-      contains(github.event.comment.body, '/opencode')
+    # Only run if comment contains /oc or /opencode.
+    # GH#4002: Also skip known review bots — their comments never contain
+    # trigger commands, and bot-triggered runs require manual approval,
+    # causing permanent action_required status on PRs.
+    if: >
+      (
+        contains(github.event.comment.body, '/oc') ||
+        contains(github.event.comment.body, '/opencode')
+      ) &&
+      github.actor != 'coderabbitai' &&
+      github.actor != 'gemini-code-assist[bot]' &&
+      github.actor != 'augment-code[bot]' &&
+      github.actor != 'augmentcode[bot]' &&
+      github.actor != 'copilot[bot]' &&
+      github.actor != 'github-actions[bot]' &&
+      github.actor != 'dependabot[bot]'
     runs-on: ubuntu-latest
 
     permissions: